Abstract

Security of complex systems is an important issue in software engineering. For complex computer systems involving many actors, security protocols are often used for the communication of sensitive data. Actor key compromise (AKC) denotes a situation where the long-term secret key of an actor may be known to an adversary for some reason. Many protocols are not secure enough to ensure security in such a situation. In this paper, we further study this problem by looking at potential types of attacks, defining their formal properties and providing solutions to enhance the level of security.

case studies, we analyze the vulnerabilities (with respect to potential AKC attacks) of practical protocols, including PKMv2RSA and Kerberos, and provide solutions to enhance the level of security of such protocols.

1. Introduction

Security of complex systems is an important issue in software engineering. For complex computer systems involving many actors, security protocols are often used for the communication of sensitive data. However, security protocols are not always secure enough, for reasons including weaknesses in the methods for generating and storing secret keys. If an actor's key is revealed and used by an adversary to impersonate another party communicating with the actor, then there is a key compromise impersonation (KCI) attack [1], and the attacker may obtain sensitive data through such an impersonation. An actor key compromise (AKC) attack is a generalization of this kind of attack. It has been studied in [2], where this property is formalized and conditions under which it can and cannot be achieved are identified.

Previous works focus on KCI attacks in the domain of key establishment protocols. In [?] and [?] some concrete two-party protocols have been studied and countermeas­ures to prevent such attacks provided. KCI attacks are classified in [?] and [?] based on whether the responder authenticates the initiator, using digital signatures and timestamps as a help. [?] is the first to study the security attributes of group key exchange protocols under KCI attacks. The first computational model of KCI is provided in [?]. Then [?] provides a systematic analysis of the consequences of compromising the actor's secret key and of countermeasures, and shows both constructive and impossibility results.

There are additional issues that need to be investigated. First, the classification of KCI attacks based on the adversary's capability of eavesdropping and sending messages is generic and may not reveal the particular features of such attacks. Furthermore, providing definitions of attack types may make it easier to analyze vulnerabilities and then modify the protocol to enhance security. Second, the work in [2] focuses on the problem where a given actor may have its secret key compromised, whereas we focus on solutions for enhancing security in case one of the actors (which one is unknown) has its secret key compromised; we also consider multi-party protocols and a different type of security claims. Third, no practical algorithms have been provided for transforming a protocol into an AKC-resilient one, which is also important for the practical use of the methods.

The purpose of this work is to provide practical solutions 
for transforming protocols to achieve higher security levels 
against AKC attacks. The work includes classifying types of 
AKC attacks and providing their formal definitions, furnishing 
solutions, and providing practical algorithms. 

The rest of this paper is organized as follows. Section 2 introduces the modeling framework and gives the formalization of security properties. In Section 3, we classify four types of AKC attacks and give formal definitions of the attacks. In Section 4, we propose solutions to prevent such attacks. We present case studies in Section 5 and concluding remarks in Section 6.

The proofs of the propositions and corollaries, and the 
algorithms for the transformation of protocols are to be found 
in the appendix. 

2. Preliminaries 

We follow the formal framework for protocol specification and the execution model defined in [?].

2.1. Protocol Specification 

A partial function from $X$ to $Y$ is denoted $f : X \rightharpoonup Y$. The domain and range of $f$ are denoted $dom(f)$ and $ran(f)$, respectively. $f[a \mapsto b]$ denotes the function $f'$ such that $f'(a) = b$ and $f'$ coincides with $f$ elsewhere. We write $\langle s_0, \ldots, s_n \rangle$ to denote the sequence of elements from $s_0$ to $s_n$.


Let $\mathcal{A}$, $\mathcal{R}$, $Fresh$, $Var$, $Func$, and $TID$ denote the sets of agents, roles, fresh values, variables, function names, and thread identifiers, respectively. $TID$ contains two distinguished thread identifiers, $Test$ and $tid_A$, which stand for a thread of an arbitrary agent and for the adversary's thread.

$t^{\sharp tid}$ binds the local term $t$ to the protocol thread identified by $tid$. By $pk(X)$ we denote $X$'s asymmetric long-term public key, and $sk(X)$ denotes the corresponding secret key. The superscript $n$ in $Func(Term^n)$ denotes the arity of the function. $Const$ is the special case of $Func$ with arity 0. Using symmetric cryptography and hashing is not sufficient to ensure AKC resilience [2]. For brevity, we do not consider symmetric cryptography in this paper and therefore omit symmetric cryptographic terms from the definition of the basic elements of protocols.

Definition 1 (Terms):
$$
\begin{aligned}
Term ::={}& \mathcal{A} \mid \mathcal{R} \mid Fresh \mid Var \mid Fresh^{\sharp TID} \mid Var^{\sharp TID} \mid Func(Term^n) \\
& \mid (Term, Term) \mid \{Term\}_{Term} \mid sk(\mathcal{A}) \mid pk(\mathcal{A}) \mid sk(\mathcal{R}) \mid pk(\mathcal{R})
\end{aligned}
$$

We define $RoleTerm$ as the set of terms that have no subterms in $\mathcal{A} \cup Fresh^{\sharp TID}$, and $RunTerm$ as the set of terms that have no subterms in $\mathcal{R} \cup Fresh$. A role term is transformed into a run term by applying an instantiation from the set $Inst$:
$$
TID \rightharpoonup ((\mathcal{R} \rightharpoonup \mathcal{A}) \cup ((Fresh \cup Var) \rightharpoonup RunTerm)).
$$

We define a binary relation $\vdash$ on terms, where $M \vdash t$ denotes that the term $t$ can be inferred from the set of terms $M$. Let $t^{-1}$ denote the inverse function on terms such that for all agents $a$, $(pk(a))^{-1} = sk(a)$ and $(sk(a))^{-1} = pk(a)$, and for all other terms $t^{-1} = t$. Let $t_0, \ldots, t_n \in Term$ and $f \in Func$. The relation $\vdash$ is the smallest relation satisfying:
$$
\begin{aligned}
t \in M &\Rightarrow M \vdash t \\
M \vdash t_1 \wedge M \vdash t_2 &\Rightarrow M \vdash (t_1, t_2) \\
M \vdash \{t_1\}_{t_2} \wedge M \vdash (t_2)^{-1} &\Rightarrow M \vdash t_1 \\
M \vdash t_1 \wedge M \vdash t_2 &\Rightarrow M \vdash \{t_1\}_{t_2} \\
\bigwedge_{0 \le i \le n} M \vdash t_i &\Rightarrow M \vdash f(t_0, \ldots, t_n)
\end{aligned}
$$

The subterm relation $\sqsubseteq$ is defined as the reflexive, transitive closure of the smallest relation satisfying the following, for all terms $t_i$ and function names $f$:
$$
\begin{aligned}
& t_1 \sqsubseteq (t_1, t_2), \quad t_2 \sqsubseteq (t_1, t_2) \\
& t_1 \sqsubseteq \{t_1\}_{t_2}, \quad t_2 \sqsubseteq \{t_1\}_{t_2} \\
& t_1 \sqsubseteq pk(t_1), \quad t_1 \sqsubseteq sk(t_1) \\
& t_i \sqsubseteq f(t_1, \ldots, t_n) \quad \text{for } 1 \le i \le n
\end{aligned}
$$

The accessible subterm relation $\sqsubseteq_{acc}$, which identifies potentially retrievable subterms, is defined as the subset of the subterm relation such that $t_1 \sqsubseteq_{acc} (t_1, t_2)$ and $t_2 \sqsubseteq_{acc} (t_1, t_2)$. In order to identify the positions of $pk(a)$ and $sk(a)$, we define another subterm relation $\sqsubseteq_{ace}$ such that $t_1 \sqsubseteq_{ace} \ldots$


Definition 2 (Event): Let $Claim$ be a given set of claims including the claims $commit$, $running$, $secret$, $nisynch$. Let $Label$ be a set of labels. The set of events is defined as follows.
$$
\begin{aligned}
RoleEvent ::={}& send_{Label}(\mathcal{R}, \mathcal{R}, RoleTerm) \\
& \mid recv_{Label}(\mathcal{R}, \mathcal{R}, RoleTerm) \\
& \mid claim_{Label}(\mathcal{R}, Claim[, \mathcal{R}][, RoleTerm]) \\
RunEvent ::={}& create(\mathcal{R}, \mathcal{A}) \\
& \mid send_{Label}(\mathcal{A}, \mathcal{A}, RunTerm) \\
& \mid recv_{Label}(\mathcal{A}, \mathcal{A}, RunTerm) \\
& \mid claim_{Label}(\mathcal{A}, Claim[, \mathcal{A}][, RunTerm]) \\
AdvEvent ::={}& LKR(\mathcal{A}) \\
Event ::={}& RoleEvent \mid RunEvent \mid AdvEvent
\end{aligned}
$$

$RunEvent$ describes how agents start threads, and send and receive messages. $LKR(a)$ is an event in which the adversary compromises $a$'s long-term secret key. $AdvEvent$s are executed in the single adversary thread $tid_A$.

As an example, the event
$$
send_1(Alice, Bob, \{n^{\sharp tid}\}_{sk(Alice)})
$$
denotes that Alice sends Bob a nonce $n$ of the run $tid$, encrypted with her secret key.

An event $e$ has an event type and a label, denoted $evtype(e)$ and $label(e)$, and the content of a send event $e$ is denoted $cont(e)$.

In order to simplify the typing constraints, in the following $e, e'$ stand for events, $p, p'$ for sequences of events, $r, r'$ for roles, $a, b$ for agents, $l, l'$ for labels, $t, t'$ for role terms or run terms (which one is clear from the context), $m, n$ for run terms used in a message, and $tid, tid_1, tid_2$ for elements of $TID$. Let $X$ be a set. A sequence $y$ of elements of $X$ is denoted $y \in X^*$. An element $a$ in a sequence $y$ is denoted $a \in y$. The operation $\cdot$ denotes the concatenation of two sequences. The powerset of $X$ is denoted $pow(X)$.

A sequence of $RoleEvent$s is well-formed if no variable initialized in an accessible position of a $recv$ event is used before that event. Let $vars(X)$ denote the set of variables appearing in $X$.
$$
\begin{aligned}
wellformed(p) \iff{}& \forall p', l, a, b, t, p'', v : \\
& p = p' \cdot \langle recv_l(a, b, t) \rangle \cdot p'' \\
& \Rightarrow (v \sqsubseteq_{acc} t \Rightarrow v \notin vars(p')).
\end{aligned}
$$

A protocol is a partial function from $\mathcal{R}$ to $Event^*$, together with a function that formalizes which terms may be stored in a given variable. For each role, the sequence of events must be well-formed.


Definition 3 (Protocol): Let $\Pi : \mathcal{R} \rightharpoonup Event^*$ and $type_\Pi : Var \to pow(RunTerm)$. If for all $r \in dom(\Pi)$, $\Pi(r)$ is well-formed, then $(\Pi, type_\Pi)$ is a protocol.

For convenience, we extend the domain of $type_\Pi$ to $RunTerm$, such that $type_\Pi(t)$ for a run term $t$ is the set of run terms obtained by substituting the variables in $t$ according to the initial $type_\Pi$.

In a protocol, a label $l$ is associated with a send role and a receive role, denoted $sl(l)$ and $rl(l)$ respectively, defined by $sl(l) = r$ if $label(e) = l$ and $e = send_l(r, r', t) \in \Pi(r)$ or $e = recv_l(r, r', t) \in \Pi(r')$ for some $t$; and $rl(l) = r'$ if $label(e) = l$ and $e = send_l(r, r', t) \in \Pi(r)$ or $e = recv_l(r, r', t) \in \Pi(r')$.

2.2. Execution Model 

Protocol execution is modeled as a labeled transition system $(State, RunEvent, \to, s_0)$. A state $s = (tr_s, AK_s, th_s, \sigma_s)$ consists of a trace $tr_s \in (TID \times (RunEvent \cup AdvEvent))^*$, the adversary's knowledge $AK_s$, a partial function $th_s \in TID \rightharpoonup RunEvent^*$, and a role and variable instantiation $\sigma_s \in Inst$. We write $\sigma_{s,tid}$ for $\sigma_s(tid)$, and $tr_{s,i}$ for $tr_s(i)$, the $i$-th event of the trace. The initial state $s_0$ is $(\langle\rangle, AK_0, \emptyset, \emptyset)$, where $AK_0 = \{a, pk(a) \mid a \in \mathcal{A}\} \cup \{n^{\sharp tid_A} \mid n \in Fresh\}$ is the initial adversary knowledge.

The operational semantics of a protocol is defined by a transition system composed of the execution rules of Fig. 1 together with a selected subset of the adversary rules of Fig. 2. The create rule starts a new thread of a protocol role $R$. The send rule sends a message $m$ to the network and adds it to the adversary knowledge. The receive rule accepts a message if it matches the pattern $pt$. The claim rule states a security property that is expected to hold. The $LKR_{actor}$ rule allows the adversary to learn the long-term keys of the agent executing the test run.

Let the protocol $(\Pi, type_\Pi)$ with an initial role $R \in dom(\Pi)$ and a set of adversary rules $A$ be given. If there is a rule such that $s \to s'$, then we write $s \to_{\Pi, type_\Pi, R, A} s'$. The set of reachable states, denoted $RS(\Pi, type_\Pi, R, A)$, is $\{s \mid s_0 \to^*_{\Pi, type_\Pi, R, A} s\}$. The set of possible traces of the protocol $(\Pi, type_\Pi)$ is denoted $Traces(\Pi, type_\Pi)$.

In a state $s$ we have a trace $tr_s$, and each thread in the trace is created by a role. The special thread $Test$ is created by $R$. Let $role_s : TID \to \mathcal{R}$ be the function that identifies a $tid$ with a role in $s$. Then $role_s(Test) = R$, and $role_s(tid) = r'$ if $(tid, create(r', \sigma_s(r'))) \in tr_s$.

2.3. Security Property 

Security properties are modeled as reachability properties. A secrecy claim on a role term $t$ is of the form $claim_l(r, secret, t)$ for some label $l$ and role $r$.

Definition 4 (secrecy claim): Let $s$ be a state. If $\gamma = claim_l(r, secret, t)$ is a secrecy claim on $t$, and $(Test, \sigma_{s,Test}(\gamma^{\sharp Test})) \in tr_s$, then
$$
s \models \gamma \iff AK_s \nvdash \sigma_{s,Test}(t^{\sharp Test}).
$$


The following two properties are related to data agreement. The commit property means that the initiator agrees on some data with the responder. The nisynch property means that whenever an initiator $I$ completes a run of the protocol with responder $R$, then $R$ has previously been running the protocol with $I$, and the two agents agree on all the variables. A commit claim on a role term $t$ is of the form $claim_l(r, commit, r', t)$ for some label $l$ and roles $r$ and $r'$. The corresponding running claim for such a commit claim is of the form $claim_l(r', running, r, t)$.

Definition 5 (commit claim): Let $s$ be a state. If $\gamma = claim_l(r, commit, r', t)$ is a commit claim, and $(Test, \sigma_{s,Test}(\gamma^{\sharp Test})) \in tr_s$, then $s \models \gamma$ iff

• there is a $tid$ such that $role_s(tid) = r'$, and

• there is a running claim $\delta = claim_l(r', running, r, t)$ such that $(tid, \sigma_{s,Test}(\delta)) \in tr_s$, and there exists a send event $e$ such that $(tid, e) \in tr_s$ and $t \sqsubseteq_{acc} cont(e)$.

Let $<_r$ denote the total order of events in a sequence (for the sequence of events $\langle e_1, e_2, e_3 \rangle$ we have $e_1 <_r e_2$, $e_2 <_r e_3$, and $e_1 <_r e_3$). The order on events induced by the communications is defined as $e_1 \rightsquigarrow e_2 \iff \exists l, r, r', t_1, t_2 : e_1 = send_l(r, r', t_1) \wedge e_2 = recv_l(r, r', t_2)$. The transitive closure of the union of the role event orders and the communication relation is called the protocol order, $\prec_\Pi = (\rightsquigarrow \cup \bigcup_{r \in \mathcal{R}} <_r)^+$. $prec(cl)$ is the set of labels of the communications causally preceding a claim event labeled $cl$: $prec(cl) = \{l \mid recv_l(\_, \_, \_) \prec_\Pi claim_{cl}(\ldots)\}$.

Let $tidinst_s : \mathcal{R} \to pow(TID)$ denote the function that maps roles to runs according to $tr_s$ of the state $s$. Let $ev(tr_{s,i})$ denote $e$ iff $tr_{s,i} = (tid, e)$ for some $tid$.

A nisynch claim is of the form $claim_l(r, nisynch)$ for some $r$ and $l$; it states the correspondence between send messages and recv messages.

Definition 6 (nisynch claim): Let $s$ be a state. If $\gamma = claim_l(r, nisynch)$ is a nisynch claim, and $(Test, \sigma_{s,Test}(\gamma^{\sharp Test})) = tr_{s,k}$ for some $k$, then
$$
\begin{aligned}
s \models \gamma \iff{}& \forall l' \in prec(l), a, b, m, \; \forall j < k, tid \in tidinst_s(rl(l')) : \\
& \big( ev(tr_{s,j}) = recv_{l'}(a, b, m)^{\sharp tid} \\
& \Rightarrow \exists i < j, tid' \in tidinst_s(sl(l')) : ev(tr_{s,i}) = send_{l'}(a, b, m)^{\sharp tid'} \big)
\end{aligned}
$$

A protocol is AKC secure if its security claims hold under AKC attacks. This property has been formalized in [2]. Here we use $(\Pi, type_\Pi) \models_A \gamma$ to denote that for all $s \in RS(\Pi, type_\Pi, R, A)$, $s \models \gamma$.

Definition 7 (Actor key compromise security, AKCS): Let $(\Pi, type_\Pi)$ be a protocol, $R \in dom(\Pi)$, $A$ an adversary (represented by a set of adversary rules) such that $LKR_{actor\,\Pi,R} \in A$, and $\gamma \in \Pi(R)$ a security claim. $\gamma$ is actor key compromise secure (AKCS) in $(\Pi, type_\Pi)$ with respect to $A$ if $(\Pi, type_\Pi) \models_A \gamma$.

For the correctness of security properties, we assume that 
no asymmetric long-term secret keys appear in accessible 
positions in any messages of a protocol, in the subsequent 
sections. 


$$
\frac{R \in dom(\Pi) \quad tid \notin (dom(th) \cup \{tid_A, Test\})}
{(tr, AK, th, \sigma) \to (tr \cdot \langle (tid, create(R, \sigma'(R))) \rangle, AK, th[tid \mapsto \sigma'(\Pi(R)^{\sharp tid})], \sigma[tid \mapsto \sigma'])}
\;[create_\Pi]
$$
$$
\frac{th(tid) = \langle send_l(a, b, m) \rangle \cdot seq}
{(tr, AK, th, \sigma) \to (tr \cdot \langle (tid, send_l(a, b, m)) \rangle, AK \cup \{m\}, th[tid \mapsto seq], \sigma)}
\;[send_\Pi]
$$
$$
\frac{th(tid) = \langle recv_l(a, b, pt) \rangle \cdot seq \quad dom(\sigma') = vars(pt) \quad (\forall x \in dom(\sigma'))(\sigma'(x) \in type_\Pi(x)) \quad AK \vdash \sigma'(pt)}
{(tr, AK, th, \sigma) \to (tr \cdot \langle (tid, recv_l(a, b, \sigma'(pt))) \rangle, AK, th[tid \mapsto \sigma'(seq)], \sigma[tid \mapsto \sigma_{tid} \cup \sigma'])}
\;[recv_{\Pi, type_\Pi}]
$$
$$
\frac{th(tid) = \langle e \rangle \cdot seq \quad evtype(e) = claim}
{(tr, AK, th, \sigma) \to (tr \cdot \langle (tid, e) \rangle, AK, th[tid \mapsto seq], \sigma)}
\;[claim_\Pi]
$$

Fig. 1. Execution-model rules

$$
\frac{a = \sigma_{Test}(R) \quad a \notin \{\sigma_{Test}(R') \mid R' \in dom(\Pi) \setminus \{R\}\}}
{(tr, AK, th, \sigma) \to (tr \cdot \langle (tid_A, LKR(a)) \rangle, AK \cup LTK(a), th, \sigma)}
\;[LKR_{actor\,\Pi,R}]
$$
$$
\frac{a \notin \{\sigma_{Test}(R) \mid R \in dom(\Pi)\}}
{(tr, AK, th, \sigma) \to (tr \cdot \langle (tid_A, LKR(a)) \rangle, AK \cup LTK(a), th, \sigma)}
\;[LKR_{others\,\Pi}]
$$

Fig. 2. Adversary-compromise rules


3. Attack Types 

Understanding the adversary's techniques for launching attacks and their attack objectives helps in identifying weaknesses of protocols. Some work has been done on categorizing attacks in the traditional Dolev-Yao adversary model. In [?] there is a classification of known-key attacks, where AK protocols are studied and attacks are categorized based on the adversary's capability to modify messages. In [15] one-pass two-party key establishment protocols under KCI attacks are studied and two classes of KCI attacks are described. Here we study types of attacks under stronger adversary models. Furthermore, we provide formal definitions of such attacks based on the trace model, and techniques for fixing such protocols are provided in the next section.

Secrecy Attack One purpose of a protocol is to transmit a secret nonce from an initiator to a responder. In order to keep the nonce secret, the initiator encrypts it with the responder's public key, which is not safe if the intruder knows the responder's secret key.

Definition 8 (Secrecy attack): Let $(\Pi, type_\Pi)$ be a protocol, $R \in \mathcal{R}$, $t \in RoleTerm$. If
$$
\exists s \in RS(\Pi, type_\Pi, R, A) : AK_s \vdash \sigma_{s,Test}(t^{\sharp Test}),
$$
then there is a secrecy attack on $t$, which we denote $SecrecyAttack(t, \Pi, type_\Pi)$.

Example Suppose that the initiator wants to transmit a secret nonce to the responder before setting up a session key. In order to keep the nonce secret, the initiator encrypts the nonce with the responder's public key, which is not safe if the intruder knows the responder's secret key. Consider the CCITT-ban1 [19] protocol:
$$
I \to R : I, \{T_a, N_a, R, X_a, \{Y_a\}_{pk(R)}\}_{sk(I)}
$$
Clearly, there is a secrecy attack on $Y_a$ if the secret key of the responder is known to the intruder.

Substitution Attack An attack of this type occurs when an initiator and a responder try to use fresh values or secret keys to authenticate each other. The main characteristic of this type of attack is that the adversary replaces terms in a message with other terms without being discovered.


Let $Match_s(a, tid_1, b, tid_2)$ denote that the thread $tid_1$, instantiated by the agent $a$, is the thread corresponding to (communicating with) $tid_2$, instantiated by $b$, according to $\sigma_s$ of the state $s$. In other words, $Match_s(a, tid_1, b, tid_2)$ iff there are $r, r'$ such that $\sigma_{s,tid_i}(r) = a$ and $\sigma_{s,tid_i}(r') = b$ for $i = 1, 2$.

Let $m[x/y]$ denote the term $m'$ derived from $m$ by replacing $y$ in $m$ with $x$. Let $L$ be a subset of labels, $S$ and $S'$ be sets of terms, and $\lhd$ be an access relation. The predicate $Replace$ is defined as follows.
$$
\begin{aligned}
Replace(s, L, S, S', \lhd, tid) \iff{}& \exists l \in L, m, m', a, b, tid', x \in S, y \in S', y \ne x, x \lhd m' : \\
& tid' \in tidinst_s(sl(l)) \wedge tid \in tidinst_s(rl(l)) \wedge Match_s(a, tid', b, tid) \wedge \\
& \exists k.\big( ev(tr_{s,k}) = recv_l(a, b, m)^{\sharp tid} \wedge \\
& \quad \forall j < k.(ev(tr_{s,j}) = send_l(a, b, m')^{\sharp tid'} \Rightarrow m' = m[x/y]) \big)
\end{aligned}
$$

In a substitution attack, the adversary eavesdrops on a message, replaces some of its fresh values by fresh values of its own, and transmits the result to the receiver of the message.

Let $Finish(s, tid)$ denote that the thread $tid$ has been completed in $s$, i.e., every event in the sequence $th_s(tid)$ has a corresponding event in $tr_s$.

Let $S = \{t \cup f(t) \mid t \in Fresh^*, f \in Func\}$ and $S' = \{t \cup f(t) \mid t \in AdvFresh^*, f \in Func\}$, where $AdvFresh$ denotes the subset of $Fresh$ used by the adversary.

Definition 9 (Substitution Attack): For a security protocol $(\Pi, type_\Pi)$, there is a substitution attack if $\exists s \in RS(\Pi, type_\Pi, R, A)$ and a $tid$ such that $Finish(s, tid)$ and $Replace(s, Label, S, S', \sqsubseteq_{acc}, tid)$ hold, which we denote $SubAttack(\Pi, type_\Pi)$.

Example Consider the Bilateral Key Exchange (BKE) protocol as an example, which is supposed to guarantee the secrecy of $kir$ and agreement on $nr$ and $ni$.
$$
\begin{aligned}
1.\; & I \to R : \{ni, I\}_{pk(R)} \\
2.\; & R \to I : \{hash(ni), nr, R, kir\}_{pk(I)} \\
3.\; & I \to R : \{hash(nr)\}_{kir}
\end{aligned}
$$

The protocol is vulnerable to substitution attacks. If the intruder (denoted $D_{Alice}$) knows the secret key of Alice (an agent in the role $I$), he can decrypt message 2 using that key and construct another message 2' using his own nonces. In this way the adversary impersonates Bob (an agent in the role $R$) to Alice and breaks the agreement on $ni$ and $nr$ between them:
$$
\begin{aligned}
1.\; & Alice \to Bob : \{ni, Alice\}_{pk(Bob)} \\
2.\; & Bob \to D_{Alice} : \{hash(ni), nr, Bob, kir\}_{pk(Alice)} \\
3.\; & D_{Alice} \text{ decrypts the message using } sk(Alice) \text{ and learns } hash(ni) \\
4.\; & D_{Alice} \text{ chooses } nr', kir' \text{ and constructs } \{hash(ni), nr', Bob, kir'\}_{pk(Alice)} \\
5.\; & D_{Alice} \to Alice : \{hash(ni), nr', Bob, kir'\}_{pk(Alice)} \\
6.\; & Alice \to D_{Alice} : \{hash(nr')\}_{kir'}
\end{aligned}
$$

Role-mixup Attack An attack of this type has the result that the participating entities do not agree on who is playing which role in the protocol. We use $Termin(s, L, tid)$ to denote that there exists some label $l \in L$ whose message contains a role name in an accessible position, and there is no matching send event for the corresponding recv event in the trace.
$$
\begin{aligned}
Termin(s, L, tid) \iff{}& \exists l \in L, a, b, m, n, tid' : \\
& tid' \in tidinst_s(sl(l)) \wedge tid \in tidinst_s(rl(l)) \wedge Match_s(a, tid', b, tid) \wedge \\
& \exists k.(ev(tr_{s,k}) = recv_l(a, b, m)^{\sharp tid}) \wedge \\
& \forall j < k, l' \in Label.(ev(tr_{s,j}) = send_{l'}(a, b, n)^{\sharp tid'} \Rightarrow l \ne l')
\end{aligned}
$$

A role-mixup attack means that a message with agent names in accessible positions has been replaced by the adversary, or the public (secret) key of some agent has been replaced by another agent's public (secret) key, or the adversary has forged a message with agent names in accessible positions to impersonate another party.

Definition 10 (Role-mixup attack): Let $(\Pi, type_\Pi)$ be a protocol, $L$ the subset of $Label$ such that agent names are accessible in the corresponding events, i.e. $L = \{l \mid \exists a, e.(label(e) = l \wedge a \sqsubseteq_{acc} cont(e))\}$, and $S = \{pk(a) \cup sk(a) \mid a \in \mathcal{A}\}$. The role-mixup attack on $(\Pi, type_\Pi)$, denoted $RoleMixupAttack(\Pi, type_\Pi)$, is defined as follows.
$$
\begin{aligned}
RoleMixupAttack(\Pi, type_\Pi) \iff{}& \exists s \in RS(\Pi, type_\Pi, R, A), tid : Finish(s, tid) \wedge \\
& \big( Replace(s, L, \mathcal{A}, \mathcal{A}, \sqsubseteq_{acc}, tid) \vee Termin(s, L, tid) \vee Replace(s, Label, S, S, \sqsubseteq_{ace}, tid) \big)
\end{aligned}
$$

Example Consider the isoiec-9798-3-5 [20] protocol as an example:
$$
\begin{aligned}
1.\; & A \to B : Cert(A), RA, Text1 \\
2.\; & B \to A : Cert(B), RB, Text2 \\
3.\; & B \to A : RB, RA, A, Text6, \{RB, RA, A, Text5\}_{sk(B)} \\
4.\; & A \to B : RA, RB, B, Text4, \{RA, RB, B, Text3\}_{sk(A)}
\end{aligned}
$$
The protocol is vulnerable to role-mixup attacks. In this protocol Bob and Alice want to agree on the fresh values $RA$, $RB$, $Text3$ and $Text5$. The attack is shown in Fig. 3: the adversary listens to the messages between them and impersonates Alice and Bob, such that Alice assumes Bob is playing $B$ and Bob assumes Alice is playing $B$, while both Alice and Bob are in fact acting as $A$.

Parallel Attack In an environment where the same protocol runs as several threads, authentication may not be preserved: $A$ may communicate with $B$ in a first thread and with $C$, who runs the same protocol later, in a second one, while $A$ still assumes it is communicating with $B$.

Definition 11 (Parallel Attack): Let $(\Pi, type_\Pi)$ be a protocol. The parallel attack on $(\Pi, type_\Pi)$, denoted $ParallelAttack(\Pi, type_\Pi)$, is defined as follows.
$$
\begin{aligned}
ParallelAttack(\Pi, type_\Pi) \iff{}& \exists s \in RS(\Pi, type_\Pi, R, A), l, a, b, m, \; \exists k, tid \in TID.(ev(tr_{s,k}) = recv_l(a, b, m)^{\sharp tid}) \wedge \\
& \forall j < k, tid' \in tidinst_s(sl(l)) : (ev(tr_{s,j}) = send_l(a, b, m)^{\sharp tid'} \Rightarrow \neg Match_s(a, tid', b, tid))
\end{aligned}
$$

Example Consider the following protocol, in which the two agents authenticate each other using three nonces.
$$
\begin{aligned}
1.\; & A \to B : \{na\}_{sk(A)} \\
2.\; & B \to A : \{h(na, nb), nb\}_{sk(B)} \\
3.\; & A \to B : \{h(nb, nc), nc\}_{sk(A)} \\
4.\; & B \to A : \{h(nc)\}_{sk(B)}
\end{aligned}
$$
The protocol is vulnerable to a parallel attack when Alice has two runs of the protocol. The adversary can forge the message in the second run, which makes Bob initiate a session with Alice in run 1 but receive the last authentication message in run 2. We show the attack in Fig. 4.

4. Preventing Attacks 

In this section, we give constructive methods for avoiding potential AKC attacks. In [?], transformations to achieve unilateral security are provided. Our work provides transformations that achieve bilateral secrecy and agreement, and instead of using secret keys to achieve agreement, we use hash functions and public keys. The argument is that content encrypted with public keys will not be compromised easily, and that hash functions can be used to commit to values that are then used as short-term keys. Another particular point of our work is the use of a special tag including the role names to prevent role-mixup attacks. Furthermore, we modify the $n$-party NSL protocol in order to achieve the stronger agreement property nisynch, which illustrates the practicability of the approach.

Fig. 3. Role-mixup attack on isoiec-9798-3-5. Recovered column headers: "Alice in role B", "Bob in role A", "Alice in role B"; "Assumes A → Bob", "Assumes B → Alice", "Assumes A → Bob".

Fig. 4. Parallel attack on the three-nonce protocol.

4.1. Resilience of Secrecy Attack 

In [2], a tagging function for the transformation is provided. We recall that the function $\tau_c$ and its restriction $\tau_c|_S$ are defined as follows.

Definition 12 (Tagging function): Let $c \in Const$ and $\tau_c : Term \to Term$; then for all $t \in Term$:
$$
\tau_c(t) = \begin{cases}
t, & \text{if } t \text{ is atomic or a long-term key,} \\
(\tau_c(t_1), \tau_c(t_2)), & \text{if } t = (t_1, t_2), \\
\{\tau_c(t_1), c\}_{\tau_c(t_2)}, & \text{if } t = \{t_1\}_{t_2}, \\
f(\tau_c(t_1), \ldots, \tau_c(t_n), c), & \text{if } t = f(t_1, \ldots, t_n).
\end{cases}
$$
$\tau_c|_S$ denotes the modification of $\tau_c$ that restricts the domain of $\tau_c$ to some set $S$ of terms, to avoid tagging unnecessary terms.

The transformation in Fig. 5 shows how to ensure AKCS of secrecy. Three messages are added: the first one is a constant asking for a nonce, the second one contains an encrypted nonce, and the third one contains the secret encrypted by the nonce and the public key together. The last two work like encrypting the secret under two pairs of keys, of which the adversary can compromise at most one, thus achieving AKCS of secrecy for both sides. Here we add different constant tags to the messages to ensure secrecy.

Let $type_{TS(\Pi)} = type_\Pi$, $M = \{k, c_2\}_{pk(R)}$, $N = \{\{m, c_3\}_k\}_{pk(R')}$, and
$$
\begin{aligned}
S_1 ={}& \langle send_{l_1}(R, R', Request), recv_{l_2}(R', R, M), send_{l_3}(R, R', N), claim_{l_4}(R, secret, m) \rangle \\
S_2 ={}& \langle recv_{l_1}(R, R', Request), send_{l_2}(R', R, M), recv_{l_3}(R, R', N), claim_{l_5}(R', secret, m) \rangle \\
S ={}& \{\{t\}_{t'} : type_\Pi(\{t\}_{t'}) \cap type_{TS(\Pi)}(M) \ne \emptyset\} \cup \{\{t\}_{t'} : type_\Pi(\{t\}_{t'}) \cap type_{TS(\Pi)}(N) \ne \emptyset\}
\end{aligned}
$$

Fig. 5. Transforming $\Pi$ for secrecy of $m$ in both $R$ and $R'$.

The formal definition of the transformation is as follows.
$$
TS(\Pi)(x) = \begin{cases}
\tau_{c_1}|_S(\Pi(R)) \cdot S_1, & \text{if } x = R, \\
\tau_{c_1}|_S(\Pi(R')) \cdot S_2, & \text{if } x = R', \\
\tau_{c_1}|_S(\Pi(x)), & \text{otherwise.}
\end{cases}
$$

Since no asymmetric long-term secret keys appear in accessible positions in sent messages (a requirement stated at the end of Section 2), it can be proved [2] that the adversary cannot reveal or infer the peers' asymmetric long-term secret keys, except the one the adversary knows through the given adversary rule. The proof of the following proposition uses the fact that the adversary cannot forge the last message, so that $m$ only appears in an accessible position of $\{m, c_3\}_k$. The secrecy of $m$ thus depends on the secrecy of $k$ and $pk(R')$, which cannot be compromised at the same time. The reader is referred to the appendix for details.

Proposition 1 (Secrecy by asymmetric encryption): Let $R, R' \in dom(\Pi)$ with $R \ne R'$. Let $A$ and $A'$ be adversaries which can compromise the long-term secret key of $R$ and of $R'$ respectively; let $c_1, c_2, c_3, Request \in Const$ and $l_1, l_2, l_3, l_4, l_5 \in Label$ all be distinct and unused in $\Pi$. Let $k, n \in Fresh$ and $m \in RoleTerm$ such that $n \sqsubseteq_{acc} m$, and let $k, n$ be unused in $\Pi$. If $(TS(\Pi), type_{TS(\Pi)})$ is a protocol and $type_{TS(\Pi)} = type_\Pi$, then
$$
\begin{aligned}
(TS(\Pi), type_{TS(\Pi)}) &\models_A claim_{l_4}(R, secret, m) \\
(TS(\Pi), type_{TS(\Pi)}) &\models_{A'} claim_{l_5}(R', secret, m)
\end{aligned}
$$
It follows immediately that $(TS(\Pi), type_{TS(\Pi)})$ satisfies $\neg SecrecyAttack(m, TS(\Pi), type_{TS(\Pi)})$.

Remarks. The idea of adding messages to ensure secrecy is similar to that of [?]. The difference is that the purpose here is to ensure bilateral secrecy (i.e., no matter which key is compromised, the secrecy of $m$ is guaranteed).

4.2. On Substitution and Parallel Attack

One way to prevent parallel attacks is to tag each message with a hash that includes all the previous variables. If the adversary wants to move one message between different threads, it has to learn all the previous variables from both sides, which is very hard. In order to prevent substitution attacks, we can also take advantage of hash functions by including new fresh values and old variables together in one hash. Then the adversary cannot forge a message using its own fresh values, because of the hash. We use this technique in the following transformation function and prove that the commit property can be achieved under AKC attacks.

The transformation in Fig. 6 shows how to ensure AKCS of agreement. We assume that $m \in Fresh$ occurs in $\Pi$ and is kept secret. We add two messages: the first one contains a hash of $m$ and $n$, where $n$ is not used in the previous events; the second one is a response using a hash of $n$. The hash here works like a signature, exploiting the secrecy of $m$ or $n$ to ensure that the adversary cannot forge the message.



Fig. 6. Transforming $\Pi$ for agreement on $n$ for both $R$ and $R'$.

Let $type_{TA(\Pi)} = type_\Pi$, $N = \{h(n), c_3\}_{pk(R')}$, $M = \{h(m, n), n, c_2\}_{pk(R)}$, and
$$
\begin{aligned}
S_1 ={}& \langle recv_{l_1}(R', R, M), claim_{l'}(R, commit, R', n), claim_{l_2}(R, running, R', n), send_{l_3}(R, R', N) \rangle \\
S_2 ={}& \langle claim_{l'}(R', running, R, n), send_{l_1}(R', R, M), recv_{l_3}(R, R', N), claim_{l_4}(R', commit, R, n) \rangle \\
S ={}& \{\{t\}_{t'} : type_\Pi(\{t\}_{t'}) \cap type_{TA(\Pi)}(M) \ne \emptyset\} \cup \{\{t\}_{t'} : type_\Pi(\{t\}_{t'}) \cap type_{TA(\Pi)}(N) \ne \emptyset\}
\end{aligned}
$$

The formal definition of the transformation is then as follows.
$$
TA(\Pi)(x) = \begin{cases}
\tau_{c_1}|_S(\Pi(R)) \cdot S_1, & \text{if } x = R, \\
\tau_{c_1}|_S(\Pi(R')) \cdot S_2, & \text{if } x = R', \\
\tau_{c_1}|_S(\Pi(x)), & \text{otherwise.}
\end{cases}
$$

Proposition 2 (Agreement by hashing): Let $R, R' \in dom(\Pi)$ such that $R \ne R'$. Let $A, A'$ be adversaries which can compromise the long-term secret key of $R$ and of $R'$ respectively. Let $l_1, l_2, l_3, l_4 \in Label$ and $c_1, c_2, c_3 \in Const$ all be different and unused in $\Pi$, $m, n \in RoleTerm$, and $A$ an adversary such that $\forall s \in RS(\Pi, type_\Pi, R, A)$, $AK_s \nvdash \sigma_{s,Test}(m)$. If $(TA(\Pi), type_{TA(\Pi)})$ is a protocol and $type_{TA(\Pi)} = type_\Pi$, then
$$
\begin{aligned}
(TA(\Pi), type_{TA(\Pi)}) &\models_A claim_{l_2}(R, commit, R', n) \\
(TA(\Pi), type_{TA(\Pi)}) &\models_{A'} claim_{l_4}(R', commit, R, n)
\end{aligned}
$$
The reader is referred to the appendix for a proof. This kind of transformation is resilient against substitution and parallel attacks.

Corollary 1 (Resilience of Substitution Attack): If the original protocol is resilient against substitution attacks, then the modified protocol keeps this property:
$$
\neg SubAttack(\Pi, type_\Pi) \Rightarrow \neg SubAttack(TA(\Pi), type_{TA(\Pi)})
$$

Corollary 2 (Resilience of Parallel Attack): If the original protocol is resilient against parallel attacks, then the modified protocol keeps this property:
$$
\neg ParallelAttack(\Pi, type_\Pi) \Rightarrow \neg ParallelAttack(TA(\Pi), type_{TA(\Pi)})
$$

The two corollaries are used to transform protocols inductively: we can start from an empty protocol and then add each message based on Proposition 2 to ensure agreement. The reader is referred to the appendix for the proofs of the corollaries.
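As an added example (not from the paper or its appendix), the following Python implements the inference relation $\vdash$ of Section 2.1 (the page's composition and decryption rules, plus pair projection, which the accessible-subterm relation assumes) and uses it to check the secrecy attack on CCITT-ban1 from Section 3, the BKE substitution attack, and why the hash-bound message $M$ of the TA transformation above resists the same substitution. The agent names, nonce names and the adversary's fresh values are constructed for this example.

```python
"""Term deduction (the relation |- of Section 2.1) applied to the attack
examples of Section 3 and the hash-tagged message M of Section 4.2.
Atoms are strings; pair/enc/fn/pk/sk build tuples. Names are constructed."""
from typing import FrozenSet, Iterable, Union

Term = Union[str, tuple]

def pair(t1: Term, t2: Term) -> Term: return ("pair", t1, t2)
def enc(t: Term, k: Term) -> Term: return ("enc", t, k)          # {t}_k
def fn(name: str, *args: Term) -> Term: return ("fn", name, args)
def pk(a: str) -> Term: return ("pk", a)
def sk(a: str) -> Term: return ("sk", a)

def tuple_term(*parts: Term) -> Term:
    """Right-nested pairs for a message written (t1, t2, ..., tn)."""
    t = parts[-1]
    for p in reversed(parts[:-1]):
        t = pair(p, t)
    return t

def inv(k: Term) -> Term:
    """t^-1: pk(a) and sk(a) are each other's inverse, all else is self-inverse."""
    if isinstance(k, tuple) and k[0] == "pk":
        return sk(k[1])
    if isinstance(k, tuple) and k[0] == "sk":
        return pk(k[1])
    return k

def synth(known: FrozenSet[Term], t: Term) -> bool:
    """Composition rules: membership, pairing, encryption, function application."""
    if t in known:
        return True
    if isinstance(t, str):
        return False
    if t[0] in ("pair", "enc"):
        return synth(known, t[1]) and synth(known, t[2])
    if t[0] == "fn":
        return all(synth(known, a) for a in t[2])
    return False  # a long-term key that is not in M cannot be built

def analyze(M: Iterable[Term]) -> FrozenSet[Term]:
    """Decomposition to a fixed point: project pairs, and open {t1}_t2 once
    the inverse key t2^-1 is derivable (the decryption rule of Section 2.1)."""
    known = set(M)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            parts = []
            if t[0] == "pair":
                parts = [t[1], t[2]]
            elif t[0] == "enc" and synth(frozenset(known), inv(t[2])):
                parts = [t[1]]
            for u in parts:
                if u not in known:
                    known.add(u)
                    changed = True
    return frozenset(known)

def derives(M: Iterable[Term], t: Term) -> bool:
    """Decide M |- t: analyse first, then compose the goal."""
    return synth(analyze(M), t)

AGENTS = ("Alice", "Bob")
ADV_FRESH = ("n_adv", "k_adv")  # AdvFresh: the adversary's own fresh values

def initial_knowledge(compromised: Iterable[str] = ()) -> FrozenSet[Term]:
    """AK_0 (agent names, public keys, adversary fresh values) extended with
    the long-term secret keys revealed by LKR events."""
    ak = set(AGENTS) | {pk(a) for a in AGENTS} | set(ADV_FRESH)
    return frozenset(ak | {sk(a) for a in compromised})

# Secrecy attack (Definition 8) on CCITT-ban1 with I = Alice, R = Bob:
#   I -> R : I, {Ta, Na, R, Xa, {Ya}_pk(R)}_sk(I)
CCITT_MSG = pair("Alice", enc(tuple_term("Ta", "Na", "Bob", "Xa",
                                         enc("Ya", pk("Bob"))), sk("Alice")))

def ccitt_learns_Ya(compromised: Iterable[str]) -> bool:
    return derives(initial_knowledge(compromised) | {CCITT_MSG}, "Ya")

# Substitution attack (Definition 9) on BKE message 2 with I = Alice, R = Bob:
#   R -> I : {hash(ni), nr, R, kir}_pk(I);  forged m' = m[n_adv/nr][k_adv/kir]
BKE_MSG2 = enc(tuple_term(fn("hash", "ni"), "nr", "Bob", "kir"), pk("Alice"))
BKE_FORGED = enc(tuple_term(fn("hash", "ni"), "n_adv", "Bob", "k_adv"), pk("Alice"))

def bke_forgery_possible(compromised: Iterable[str]) -> bool:
    return derives(initial_knowledge(compromised) | {BKE_MSG2}, BKE_FORGED)

# Hash-bound message M = {h(m, n), n, c2}_pk(R) of the TA transformation with
# R = Alice and m secret (premise of Prop. 2): replacing n needs h(m, n_adv).
TA_MSG = enc(tuple_term(fn("h", "m", "n"), "n", "c2"), pk("Alice"))
TA_FORGED = enc(tuple_term(fn("h", "m", "n_adv"), "n_adv", "c2"), pk("Alice"))

def ta_learns_n(compromised: Iterable[str]) -> bool:
    return derives(initial_knowledge(compromised) | {TA_MSG}, "n")

def ta_forgery_possible(compromised: Iterable[str]) -> bool:
    return derives(initial_knowledge(compromised) | {TA_MSG}, TA_FORGED)
```

With `LKR(Alice)` the adversary still learns `n` from `M` but cannot rebuild the hash over its own nonce, which is exactly the gap the BKE message leaves open.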

4.3. Resilience of Role Mixup Attack 

For preventing role-mixup attacks, we find a special kind of tag, containing all role names encrypted with a secret key, very useful. Let $t, t_1, \ldots, t_n \in Term$ be terms. Let $AR(x) = \{dom(\Pi) \setminus x\}_{sk(x)}$; the tagging function $\upsilon_x(t)$ is defined as follows.
$$
\upsilon_x(t) = \begin{cases}
t, & \text{if } t \text{ is atomic or a long-term key,} \\
(\upsilon_x(t_1), \upsilon_x(t_2), AR(x)), & \text{if } t = (t_1, t_2), \\
\{\upsilon_x(t_1), AR(x)\}_{t_2}, & \text{if } t = \{t_1\}_{t_2}.
\end{cases}
$$
Let $\upsilon_x : Term \to Term$ extend to $Event^* \to Event^*$ by replacing all terms in the event sequence accordingly. This provides a transformation function $TR(\Pi)$ such that
$$
TR(\Pi)(x) = \upsilon_x(\Pi(x)).
$$

Assume that the content of every message is composite (as opposed to an atomic term) and that every send event has a response. Then this transformation helps to prevent role-mixup attacks. The reason is that, if we consider agent names as fresh values, then by Proposition 11 of [2] every two parties that communicated with each other agree on all the agent names. Because the communication among the parties forms a strongly connected graph, all parties agree on the agent names. Now if there is a role-mixup attack, there exists a reachable state $s$ such that either $Replace$ or $Termin$ holds. Since each party has agreed on which agent instantiates which role, the replacement or forgery can be detected by the agents.
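As an added example (not from the paper), the two tagging functions $\tau_c$ (Definition 12) and $\upsilon_x$ (above) as term rewriters, applied to message 3 of the isoiec-9798-3-5 protocol from Section 3. The term encoding and the decision to leave function applications untouched under $\upsilon_x$ (the definition above has no case for them) are assumptions of this example.

```python
"""Tagging functions tau_c (Definition 12) and upsilon_x (Section 4.3) as term
rewriters, applied to message 3 of isoiec-9798-3-5. Atoms are strings;
pair/enc/fn/sk build tuples. Encoding and names are constructed here."""
from typing import FrozenSet, Union

Term = Union[str, tuple]

def pair(t1: Term, t2: Term) -> Term: return ("pair", t1, t2)
def enc(t: Term, k: Term) -> Term: return ("enc", t, k)          # {t}_k
def fn(name: str, *args: Term) -> Term: return ("fn", name, args)
def sk(a: str) -> Term: return ("sk", a)

def tuple_term(*parts: Term) -> Term:
    """Right-nested pairs for a message written (t1, ..., tn)."""
    t = parts[-1]
    for p in reversed(parts[:-1]):
        t = pair(p, t)
    return t

def atomic_or_key(t: Term) -> bool:
    return isinstance(t, str) or t[0] in ("pk", "sk")

def tau(c: str, t: Term) -> Term:
    """Definition 12: the constant c goes inside every encryption and every
    function application; pairs are traversed, atoms and keys are untouched."""
    if atomic_or_key(t):
        return t
    if t[0] == "pair":
        return pair(tau(c, t[1]), tau(c, t[2]))
    if t[0] == "enc":
        return enc(pair(tau(c, t[1]), c), tau(c, t[2]))
    return fn(t[1], *[tau(c, a) for a in t[2]], c)

def role_tag(x: str, roles: FrozenSet[str]) -> Term:
    """AR(x) = {dom(Pi) \\ {x}}_sk(x): the other role names, signed by x."""
    return enc(tuple_term(*sorted(roles - {x})), sk(x))

def upsilon(x: str, roles: FrozenSet[str], t: Term) -> Term:
    """Section 4.3: AR(x) is appended to every pair and put inside every
    encryption of a term sent by role x. Function applications: assumed untouched."""
    if atomic_or_key(t) or t[0] == "fn":
        return t
    ar = role_tag(x, roles)
    if t[0] == "pair":
        return tuple_term(upsilon(x, roles, t[1]), upsilon(x, roles, t[2]), ar)
    return enc(pair(upsilon(x, roles, t[1]), ar), t[2])

def count_occurrences(t: Term, needle: Term) -> int:
    """Number of subterm positions of t that equal needle."""
    n = 1 if t == needle else 0
    if isinstance(t, tuple):
        children = t[2] if t[0] == "fn" else t[1:]
        n += sum(count_occurrences(c, needle) for c in children)
    return n

ROLES = frozenset({"A", "B"})
# Message 3 of isoiec-9798-3-5, sent by role B:
#   B -> A : RB, RA, A, Text6, {RB, RA, A, Text5}_sk(B)
MSG3 = tuple_term("RB", "RA", "A", "Text6",
                  enc(tuple_term("RB", "RA", "A", "Text5"), sk("B")))

def tagged_msg3_tau() -> Term:
    return tau("c1", MSG3)

def tagged_msg3_upsilon() -> Term:
    return upsilon("B", ROLES, MSG3)

def role_tags_in_msg3() -> int:
    """How many AR(B) tags the role-mixup tagging inserts into message 3:
    one per pair (4 outer, 3 inside the signature) plus one per encryption."""
    return count_occurrences(tagged_msg3_upsilon(), role_tag("B", ROLES))
```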

In the following, we apply this technique together with the transformations of Propositions 1 and 2 to achieve the nisynch property for multi-party protocols.

AKCS in Multi-Party Authentication Protocols. Multi-party
protocols are more vulnerable to AKC attacks as a result of the
complicated communications among parties. We consider a
family of multi-party NSL protocols, which are proposed in [?].
The protocols are vulnerable to AKC attacks. Let the protocols
be denoted $(\Pi_p, type_{\Pi_p})$, where $p$ denotes the number
of parties in the particular protocol.

The approach for the transformation is as follows. We first
modify the messages between each pair of parties, adding hash
function tags to them to prevent substitution and parallel
attacks. Then we combine the messages between each pair to
form a new protocol, and finally add $AR(x)$ tags to prevent
role-mixup attacks. Let $n_0, \ldots, n_{p-1} \in Fresh$,
$R_0, \ldots, R_{p-1} \in \mathcal{R}$, and

^A{i) — {{^ 0 ; ■•■7 ' eii , 

AUb( i) {^(^07 ■ • ■ 7 7 -^ 0 7 ■ ■■ 7 hdp— 1 ), n±,ni^ pi„(^Bq) 

Afci'l) ~ {^(^i-t-l 7 •■•7 1)7 trj+27 ■•■7 

Then we define the $i$'th protocol message, for $0 \le i < 2p-1$, by

$$Msg(i) = \begin{cases}
M_A(i), & \text{if } 0 \le i < p-1, \\
M_B(i), & \text{if } i = p-1, \\
M_C(i), & \text{if } p-1 < i < 2p-1.
\end{cases}$$

Here we simplify the tag function $V_x(t)$, because it is sufficient
to tag only the first round of communication in one accessible
position. Furthermore, we encrypt the fresh values with a secret
key in $M_A$ to ensure agreement. Let $l_0, \ldots, l_{2p-1}, m_0, \ldots, m_{p-1}$
be labels, and let $S_1$ and $S_2$ be defined as follows.


$$S_1 = (send_{l_0}(R_0, R_1, Msg(0)),\ recv_{l_{p-1}}(R_{p-1}, R_0, Msg(p-1)),\ send_{l_p}(R_0, R_1, Msg(p-1)),\ claim_{m_0}(R_0, nisynch))$$

$$S_2(i) = (recv_{l_{i-1}}(R_{i-1}, R_i, Msg(i-1)),\ send_{l_i}(R_i, R_{i+1}, Msg(i)),\ recv_{l_{i+p}}(R_{i-1}, R_i, Msg(i+p)),\ claim_{m_i}(R_i, nisynch))$$

The modification of such a protocol $(\Pi_p, type_{\Pi_p})$ is as
follows (with $type_{\Pi_p}$ kept unchanged).

$$T_M(\Pi_p)(x) = \begin{cases}
S_1, & \text{if } x = R_0, \\
S_2(i), & \text{if } x = R_i\ (0 < i \le p-1).
\end{cases}$$


This transformed protocol has the same structure as the
original one, with each message replaced by the given ones.
The correctness with respect to the nisynch claim is stated in
the following proposition and proved by using the fact that a
message encrypted by an asymmetric secret key, or containing a
hash function over a secret nonce, can achieve agreement between
two parties. The reader is referred to the appendix for a proof.

Proposition 3 (Multi-party NSL agreement):

Let $(T_M(\Pi_p), type_{T_M(\Pi_p)})$ be the transformed protocol, with
$dom(T_M(\Pi_p)) = \{R_0, \ldots, R_{p-1}\}$. Let $A_0, \ldots, A_{p-1}$ be
adversaries which can compromise the respective long-term secret
key of $R_i$. Let $\gamma(x) = claim_{m_x}(R_x, nisynch)$. Then

$$(T_M(\Pi_p), type_{T_M(\Pi_p)}) \models_{A_x} \gamma(x), \quad x = 0, \ldots, p-1.$$

5. Case Studies 

Many protocols are vulnerable under AKC attacks, with
examples shown in Section 3. We have applied the above
techniques to enhance the security level of such protocols. In
accordance with the transformations provided in Propositions
1 and 2, we transform these protocols into AKCS ones. Table 1
shows part of the results of experiments using the Scyther tool
[?] after applying the transformation scheme. A dash (-)
means the property is not required for the protocol, and a
check mark (√) means the property holds for each party in the
protocol (after the transformation); in the secrecy column the
check mark follows the claimed secret terms.


TABLE 1: Protocol Experiment

protocol                  secrecy        nisynch
Bilateral Key Exchange    kir (√)        √
CCIT-ban1                 Ya (√)         √
CCIT-ban3                 Ya, Yb (√)     √
isoiec-9798-3-5           -              √
NSL                       ni, nr (√)     √
PKMV2RSA                  prepak (√)     √
Kerberos                  Kr (√)         √
TMN                       ST (√)         √
Splice/AS                 N2 (√)         √
Cardholder-Registration   PAN (√)        √


In the following, we demonstrate how the three prac¬ 
tical protocols, PKMV2RSA, Kerberos and Cardholder- 
Registration protocols, are transformed. We give the original 
model of these protocols, point out the AKC attack on autho¬ 
rization and secrecy in them and transform the protocol based 
on the propositions. 

5.1. PKMV2RSA 

PKMV2RSA [?] is a subprotocol of WiMAX, which is known
as a wireless access system that delivers "last mile" wireless
broadband access. The subprotocols are used for authentication,
key management, and secure communication. Among them,
PKMV2RSA authenticates the base station (BS) and the mobile
station (MS) and establishes a shared secret which is used to
secure the exchange of traffic encryption keys (TEKs). There
are six messages in all, but since the secrecy of the TEKs
depends on the secrecy of prepak, and the last three messages
are resilient against AKC attack, we only need to look at the
first three messages. The protocol proceeds as follows:

1. $MS \to BS : \{msrand, said, MS\}_{sk(MS)}$

2. $BS \to MS : \{msrand, bsrand, \{prepak, MS\}_{pk(MS)}, BS\}_{sk(BS)}$

3. $MS \to BS : \{bsrand\}_{sk(MS)}$

The secrecy of prepak is based on the secrecy of the mobile
station's long-term secret key $sk(MS)$. Hence there is an AKC
attack on the secrecy of the TEKs and on the agreement of both
sides. We modify the protocol by using said to encrypt prepak
in message 2, and by adding a hash function to message 3,
which is an example of the transformation scheme of
Propositions 1 and 2. The modified protocol is as follows.

1. $MS \to BS : \{msrand, \{said\}_{pk(BS)}, MS\}_{sk(MS)}$

2. $BS \to MS : \{msrand, bsrand, \{\{prepak\}_{said}\}_{pk(MS)}, BS\}_{sk(BS)}$

3. $MS \to BS : \{h(bsrand, msrand, prepak)\}_{sk(MS)}$

As shown in Table 1, this modified protocol satisfies the
nisynch-property, and the claim on the secrecy of prepak holds.
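The reason the modification removes the AKC attack on prepak can be checked mechanically with a symbolic adversary, in the style of the $AK_s \vdash t$ derivations the paper uses. The following is an added example, not code from the paper or from the Scyther tool: it closes the adversary's knowledge under the Dolev-Yao analysis rules (splitting tuples, opening encryptions whose key is known, reading signed payloads with the public key) and asks whether the atom prepak becomes derivable. The two message lists are transcribed from Section 5.1; the term encoding and the assumption that the adversary knows every public key are mine.

```python
# Added example (not from the paper): a symbolic adversary-knowledge closure that shows
# why the PKMv2RSA modification removes the AKC attack on prepak.
# Terms: str atoms; ('pk', X) / ('sk', X) long-term keys; ('tup', ...) tuples;
# ('enc', body, key) for {body}_key; ('h', ...) hashes (opaque, never opened).

def can_open(key, known):
    """Can the adversary undo an encryption under `key` with what it knows?"""
    if isinstance(key, tuple) and key[0] == "pk":
        return ("sk", key[1]) in known   # public-key encryption needs the private key
    if isinstance(key, tuple) and key[0] == "sk":
        return ("pk", key[1]) in known   # a signature's payload is readable with the public key
    return key in known                  # symmetric key: a nonce or short-term key

def analyse(initial):
    """Close a knowledge set under the analysis (decomposition) rules. For deciding
    whether an atom such as prepak is derivable this suffices, because composition
    rules (pairing, encrypting, hashing) never produce new atoms."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == "tup":
                new.update(t[1:])
            elif t[0] == "enc" and can_open(t[2], known):
                new.add(t[1])
            fresh = new - known
            if fresh:
                known |= fresh
                changed = True
    return known

# Messages 1-3 of the original protocol, as listed in Section 5.1.
ORIGINAL = [
    ("enc", ("tup", "msrand", "said", "MS"), ("sk", "MS")),
    ("enc", ("tup", "msrand", "bsrand", ("enc", ("tup", "prepak", "MS"), ("pk", "MS")), "BS"), ("sk", "BS")),
    ("enc", "bsrand", ("sk", "MS")),
]

# Messages 1-3 of the modified protocol: said travels under pk(BS), prepak under said.
MODIFIED = [
    ("enc", ("tup", "msrand", ("enc", "said", ("pk", "BS")), "MS"), ("sk", "MS")),
    ("enc", ("tup", "msrand", "bsrand", ("enc", ("enc", "prepak", "said"), ("pk", "MS")), "BS"), ("sk", "BS")),
    ("enc", ("h", "bsrand", "msrand", "prepak"), ("sk", "MS")),
]

def prepak_derivable(messages, compromised):
    """AKC setting: the adversary sees every message, knows all public keys (assumption)
    and the long-term secret key of each role named in `compromised`."""
    initial = set(messages) | {("pk", "MS"), ("pk", "BS")} | {("sk", r) for r in compromised}
    return "prepak" in analyse(initial)

def akc_table():
    """Secrecy of prepak for each protocol version under each single key compromise."""
    return {
        (name, role): prepak_derivable(msgs, {role})
        for name, msgs in (("original", ORIGINAL), ("modified", MODIFIED))
        for role in ("MS", "BS")
    }

if __name__ == "__main__":
    for (name, role), leaked in sorted(akc_table().items()):
        print(f"{name:8s} sk({role}) compromised: prepak {'LEAKED' if leaked else 'secret'}")
```

With sk(MS) compromised, the original protocol leaks prepak (message 2's inner encryption under pk(MS) opens); in the modified protocol the adversary obtains {prepak}_{said} but never said, which only the holder of sk(BS) can recover, and with sk(BS) compromised instead it obtains said but not the outer pk(MS) layer. Either single compromise therefore leaves prepak underivable, which is what Proposition 1's use of a short-term key buys.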

5.2. Kerberos 

Kerberos [?] is designed to authenticate clients to multiple
networked services. PKINIT, an extension of Kerberos 5, is
modified to allow public-key authentication. Basic Kerberos
has four parties: the Client (C), whose goal is to authenticate
itself to various application servers; the Kerberos Authentication
Server (KS), which provides the "ticket-granting ticket" (TGT);
the Ticket-Granting Server (TS), which is presented with the TGT
and then provides a "server ticket" (ST) to the client; and the
application server (S). The ST is the credential that the client
uses to authenticate herself to the application server. Since
role C talks to KS, TS and S separately, we can divide the
protocol into three two-party parts. We show the first part
below:

1. $C \to KS : \{Tc, n, C, KS, TS\}_{sk(C)}$

2. $KS \to C : \{\{k, H(C, TS, \{Tc, n, C, KS, TS\}_{sk(C)}), TGT\}_{sk(KS)}\}_{pk(C)},\ \{AK, Tk, TS\}_k$

The main issue is to ensure the secrecy of ST before the client
sends it to the server, and the secrecy of ST depends on the
secrecy of AK, which depends on the secrecy of k. However, k can
be revealed if the intruder knows sk(C), and it is then easy for
the intruder to fake a message 2 and send it to KS. Therefore we
use Propositions 1 and 2 to modify message 2 as follows.

$$\{\{\{k\}_n, H(C, TS, n, \{Tc, n, C, KS, TS\}_{sk(C)}), C, TGT\}_{sk(KS)}\}_{pk(C)},\ \{AK, n, Tk, TS\}_k$$

Then part 1 achieves both the secrecy and the nisynch property.
The other two parts can be modified similarly.





5.3. Cardholder-Registration 

The Cardholder-Registration protocol [?] is the first part of
the SET protocol for online purchase. It comprises three message
exchanges between the cardholder and a certificate authority.
In the first exchange, the cardholder requests registration and
is given the certificate authority's public keys. In the second
exchange, the cardholder supplies his credit card number
(PAN) and receives an application form for the bank that
issued his credit card. In the third exchange, the cardholder
returns the completed application form, delivers his public
signature key and supplies a CardSecret. This process is as
follows.

1. $C \to CA : \{C, Nc1\}_{pk(CA)}$

2. $CA \to C : \{C, H(Nc1)\}_{pk(C)}$

3. $C \to CA : \{C, Nc2, H(PAN)\}_{c1},\ \{c1, PAN\}_{pk(CA)}$

4. $CA \to C : \{C, Nc2, Nca\}_{pk(C)}$

5. $C \to CA : \{C, Nc3, c2, pk(C), \{H(C, Nc3, c2, pk(C), PAN, NsecC)\}_{sk(C)}\}_{c3},\ \{c3, PAN, NsecC\}_{pk(CA)}$

6. $CA \to C : \{C, c3, CA, NsecCA\}_{c2}$

The protocol is not secure: the secrets PAN, NsecC and NsecCA
will be revealed if C's or CA's long-term secret key is
compromised. It also fails to reach agreement: messages 3 and 4,
or 5 and 6, contain nothing from previously received messages,
and are thus vulnerable to parallel attacks. We can modify the
protocol by inserting a new nonce Nc4 to encrypt PAN and NsecC,
and by adding hash tags to each message to guarantee the nisynch
property. The modified protocol is as follows.

1. $C \to CA : \{C, Nc1\}_{pk(CA)}$

2. $CA \to C : \{C, H(Nc1, Nc4), Nc4\}_{pk(C)}$

3. $C \to CA : \{C, Nc2, H(PAN)\}_{c1},\ \{\{c1, PAN\}_{Nc4}, H(C, Nc2, Nc1, c1)\}_{pk(CA)}$

4. $CA \to C : \{C, Nc2, \{Nca\}_{Nc1}, H(Nc2, Nca, Nc1)\}_{pk(C)}$

5. $C \to CA : \{C, Nc3, c2, pk(C), \{H(C, Nc3, c2, pk(C), PAN, Nc2, Nca, Nc1, NsecC)\}_{sk(C)}\}_{c3},\ \{c3, PAN, \{NsecC\}_{Nc4}\}_{pk(CA)}$

6. $CA \to C : \{\{C, c3, CA, \{NsecCA\}_{Nc1}, H(Nc2, Nca, Nc1, NsecC, NsecCA)\}_{sk(CA)}\}_{c2}$

The modification guarantees the secrecy of PAN and the
nisynch-property.

6. Concluding Remarks 

This paper gives an analysis of AKC attacks and provides
solutions to enhance the level of security. We consider four
types of AKC attacks and give the definitions of these types.
Then, based on the attack types, we provide techniques for the
transformation of protocols. A guiding principle in designing
security protocols under potential AKC attacks is to use
short-term keys to ensure secrecy, hash functions to maintain
agreement and role names to prevent role-mixup attacks. We
have applied the techniques to the transformation of practical
protocols and have used the verification tool Scyther to show
that the modified protocols achieve a higher level of
security.
7. Appendix
7.1. Proofs 

Before presenting the proofs of the propositions and corollaries,
we present three lemmas. Lemma 1 states that if some term $t$ is
secret before some event and no part of $t$ occurs in an
accessible position in the later events, then it remains secret
at the end of the sequence of events. Lemma 2 states that a
term encrypted by a secret nonce must have been sent by an
agent, because no derivation of the term from $AK_s$ is possible.
Lemma 3 states a similar property for a hashed term.

Lemma 1: Let $s, s'$ be states such that $s' \to^* s$. Suppose
that $last(tr_{s'}) = (tid, e')$ and $last(tr_s) = (Test, e)$, where
$last()$ denotes the last element of a sequence. Suppose that
$t \sqsubseteq_{acc} cont(e')$. If for all $e''$ such that
$label(e') < label(e'') < label(e)$, each $t'' \sqsubseteq_{acc} cont(e'')$
has never been used before $s'$, then

$$AK_{s'} \nvdash \sigma_{s',Test}(t) \Rightarrow AK_s \nvdash \sigma_{s,Test}(t).$$

Proof of Lemma 1: Using the execution rules and adversary
rules, we have $AK_s = AK_{s'} \cup K$, where $K$ denotes the
adversary knowledge newly added between $s'$ and $s$. We want to
prove that $AK_s \nvdash \sigma_{s,Test}(t)$. We have
$AK_{s'} \nvdash \sigma_{s',Test}(t)$, and $t \not\sqsubseteq_{acc} cont(e'')$
for every $e''$ that appears between $s'$ and $s$, so
$t \not\sqsubseteq_{acc} K$. Because each term $t''$ that we get from an
accessible position of $e''$ has never been used before, $K$ is
not helpful in deducing $t$. Then we get

$$AK_s \nvdash \sigma_{s,Test}(t).$$

Lemma 2: Suppose that $n = \{m, c\}_k$ with $c \in Const$,
$k \in Fresh$, $m, n \in RunTerm$, $tid \in TID$. Let $s$ be
a reachable state such that $AK_s \nvdash k$. If
$tr_s \cdot ((Test, recv_l(a, b, \{m\}_{pk(b)}))) \in Traces(\Pi, type_\Pi)$ for
some $a, b, l$, then

$$\exists (tid, e') \in tr_s.\ (evtype(e') = send \wedge n \sqsubseteq_{acc} cont(e')).$$

Proof of Lemma 2: Since $AK_s \nvdash k$, no derivation of
$\sigma_{s,Test}(\{m, c\}_k)$ can end in a composition step, which implies
that $n \sqsubseteq_{acc} AK_s$ by Lemma 6 of [2]. Therefore there exist
$tid' \in TID$, $e \in RunEvent$ such that $(tid', e) \in tr_s$,
$evtype(e) = send$, and $n \sqsubseteq_{acc} cont(e)$.

Lemma 3: Suppose that $m = (h(n, t), n^{\#tid})$, with $h \in Func$,
$n, t \in Fresh$, $tid \in TID$. Let $s$ be a reachable state such
that $AK_s \nvdash \sigma_{s,Test}(n^{\#tid})$. If
$tr_s \cdot ((Test, recv_l(a, b, \{m, c\}_{pk(b)}))) \in Traces(\Pi, type_\Pi)$ for
some $c \in Const$ and $a, b, l$, then

$$\exists (tid, e) \in tr_s.\ (evtype(e) = send \wedge m \sqsubseteq_{acc} cont(e)).$$

Proof of Lemma 3: Since $AK_s \nvdash \sigma_{s,Test}(n^{\#tid})$ and $n^{\#tid}$
first appears in $m$, we get $AK_s \nvdash m$. If $m$ could be forged by
the adversary, then it would have to know $n^{\#tid}$, which is not
accessible to the adversary. That means no derivation of
$\sigma_{s,Test}(m)$ can end in a composition step. Then we get
$m \sqsubseteq_{acc} AK_s$ by Lemma 6 in [2]. Therefore there exist
$tid' \in TID$, $e \in RunEvent$ such that $(tid', e) \in tr_s$,
$evtype(e) = send$, and $m \sqsubseteq_{acc} cont(e)$.

Proof of Proposition 1: Let $\Pi' = T_S(\Pi)$.

(1) We prove $(\Pi', type_{\Pi'}) \models_A claim_l(R, secret, m)$.

Let $s \in RS(\Pi', type_{\Pi'}, R, A)$ such that
$(Test, \sigma_{s,Test}(claim_l(R, secret, m^{\#Test}))) \in tr_s$.
The goal is to prove that $AK_s \nvdash \sigma_{s,Test}(m^{\#Test})$.
Let $N = \{m, c_3\}_k \in RoleTerm$. According to Proposition 10
of [2], we get $AK_s \nvdash N$. Since $m \in N$ appears for the first
time in $N$, we have $AK_s \nvdash \sigma_{s,Test}(m^{\#Test})$.

(2) We prove $(\Pi', type_{\Pi'}) \models_{A'} claim_l(R', secret, m)$.

Let $s \in RS(\Pi', type_{\Pi'}, R', A')$ such that
$(Test, \sigma_{s,Test}(claim_l(R', secret, m))) \in tr_s$.
The goal is to prove that $AK_s \nvdash \sigma_{s,Test}(m^{\#tid})$.

At step 1, we want to prove $AK_s \nvdash \sigma_{s,Test}(k^{\#Test})$.
Let $s' \in RS(\Pi', type_{\Pi'}, R', A')$ such that $s' \to^* s$.
Let $tid' \in TID$ and $e' \in Event$ such that $(tid', e') = last(tr_{s'})$,
$evtype(e') = send$, $k^{\#Test} \sqsubseteq_{acc} cont(e')$.
According to Proposition 10 of [2], we have
$AK_{s'} \nvdash \sigma_{s',Test}(k^{\#Test})$.
By Lemma 1, we get $AK_s \nvdash \sigma_{s,Test}(k^{\#Test})$.

By Lemma 2, there exist $tid', e$ such that $(tid', e) \in tr_s$,
$evtype(e) = send$, $m \sqsubseteq_{acc} cont(e)$.

Assume that $l' \neq l_3$; then $e$ is an instance of a tagged step
of $\Pi$, such that there exists $t' \in RoleTerm$ with
$\sigma_{s,tid'}(t'^{\#tid'}) = cont(e)$ and
$send_{l'}(\cdot, \cdot, t') \in T_S(\Pi)(role_s(tid'))$.
Then there exists $\{t_0\}_{t_1} \in S$ such that
$\sigma_{s,tid'}(T_{c_1}(\{t_0\}_{t_1})^{\#tid'}) = \sigma_{s,Test}(\{m^{\#tid}, c_3\}_k)$.
This implies that $c_1 = c_3$ and contradicts the conditions of
the transformation. Hence $l' = l_3$.

Since $AK_s \nvdash \sigma_{s,Test}(k^{\#Test})$ and $m^{\#tid}$ appears in $e$ for
the first time, according to Proposition 10 of [2], $m^{\#tid}$
is only accessible in the set $AK_s$ as a subterm of the term
$\sigma_{s,Test}(\{m^{\#tid}, c_3\}_k)$. Since we have proved that
$AK_s \nvdash \sigma_{s,Test}(k^{\#Test})$, we have

$$AK_s \nvdash \sigma_{s,Test}(m^{\#tid}).$$

Proof of Proposition 2: Let $\Pi' = T_S(\Pi)$.

(1) We prove $(\Pi', type_{\Pi'}) \models_A claim_l(R, commit, R', n)$.

Let $s \in RS(\Pi', type_{\Pi'}, R, A)$ such that
$(Test, \sigma_{s,Test}(claim_l(R, commit, R', n^{\#tid}))) \in tr_s$.
We prove that the corresponding running claim holds.
Let $t = \sigma_{s,Test}(h(m, n), n^{\#tid})$.
Since $AK_s \nvdash \sigma_{s,Test}(n^{\#tid})$, by Lemma 3 there exist $tid', e$
such that $(tid', e) \in tr_s$, $evtype(e) = send$, $t \sqsubseteq cont(e)$.
Assume that $l' \neq l_1$; then $e$ is an instance of a tagged event
of $\Pi'$. Then there is a $\{t_0\}_{t_1} \in S$ with
$\sigma_{s,tid'}(T_{c_1}((\{t_0\}_{t_1})^{\#tid'})) = \sigma_{s,Test}(\{h(m, n), n^{\#tid}, c_2\}_{pk(R)})$,
which contradicts $c_1 \neq c_2$.

Hence $l' = l_1$. Therefore the running claim holds.

(2) We prove $(\Pi', type_{\Pi'}) \models_{A'} claim_l(R', commit, R, n)$.
Let $s \in RS(\Pi', type_{\Pi'}, R', A')$ such that
$(Test, \sigma_{s,Test}(claim_l(R', commit, R, n^{\#tid}))) \in tr_s$.
According to Proposition 10 of [2] and Lemma 1, we get

The rest of the proof is similar to the one above, in which we
use Lemma 3 to prove that the corresponding running claim
holds.

Proof of Corollary 1: If either R's or R''s long-term secret key
is compromised, from the proof of Proposition 2 we know
that $\exists i, j, i', j' \in \mathbb{N}$, $i < j$, $i' < j'$, $a, b \in A$,
$tid \in TID$ and a reachable state $s$ such that

$$tr_{s,i} = \sigma_{s,Test}(send_{l_1}(b, a, h(m, n), n^{\#tid})),$$
$$tr_{s,j} = \sigma_{s,tid}(recv_{l_1}(b, a, h(m, n), n^{\#tid})),$$
$$tr_{s,i'} = \sigma_{s,tid}(send_{l_2}(a, b, h(n))),\ \text{and}$$
$$tr_{s,j'} = \sigma_{s,Test}(recv_{l_2}(a, b, h(n))).$$

Then according to the precondition, we have that for each
label $l \in prec(l_3)$, $\exists i, j \in \mathbb{N}$, $i < j$, $tid_1, tid_2 \in TID$,
such that $Match(a, tid_1, b, tid_2)$ and
$ev(tr_{s,i}) = send_l(a, b, m) \wedge ev(tr_{s,j}) = recv_l(a, b, m)$.

This violates the definition of substitution attack. Therefore
the conclusion is correct.

Proof of Corollary 2: Since we have proved that there exist
$tid_1, tid_2 \in TID$ such that $Match(a, tid_1, b, tid_2)$ for the
corresponding send and recv events, which also violates the
definition of parallel attack, the conclusion is correct.

Proof of Proposition 3: Let $p$ be arbitrarily given, and let $\Pi' = T_M(\Pi_p)$.

(1) First, we prove that, for a reachable state $s$,
$AK_s \nvdash \sigma_{s,Test}(n_k)$. Since $\sigma_{s,Test}(n_k)$ appears for the
first time in the send-event of $R_k$, and each accessible position
where $\sigma_{s,Test}(n_k)$ appears is encrypted by $pk(R_s)$ with $s \neq k$,
and $A_k \nvdash sk(R_s)$, we have $AK_s \nvdash \sigma_{s,Test}(n_k)$.

(2) Then we prove that each agent has the same assumption
about agent names as the others. For adversary $A_0$, if any agent
has a different assumption about agent names from $\sigma_{s,Test}(R_0)$,
then, because $AK_s \nvdash sk(\sigma_{s,Test}(R_x))$ for $x \neq 0$ and the
agent names were transmitted between $R_1$ and $R_{p-1}$ under secret
keys, $\sigma_{s,Test}(R_{p-1})$ has a different assumption from
$\sigma_{s,Test}(R_0)$. Since $AK_s \nvdash \sigma_{s,Test}(n_0)$, the derivation of
$\sigma_{s,Test}(Msg(p-1))$ cannot end in a composition step, so
$\sigma_{s,Test}(R_0)$ will find that it has a different assumption from
the others and terminates the protocol, which violates the premise
of the nisynch property. Therefore, for adversary $A_0$, all agents
have the same assumption about agent names. The proof for the other
adversaries $A_x$ is similar.

(3) We look at the role $R_k$ with $A = A_k$ for $0 < k \le p-1$.
Let $s \in RS(\Pi', type_{\Pi'}, R_k, A)$ with a position $q_i$ such that

$$tr_{s,q_i} = (Test, claim_{m_k}(R_k^{\#Test}, nisynch)).$$

Let $q_{j-1}, q_j, q_{j+k}$ be positions such that
$0 \le q_{j-1} < q_j < q_{j+k} \le q_i$.

Let $a = \sigma_{s,Test}(R_{k-1})$, $b = \sigma_{s,Test}(R_k)$,
$c = \sigma_{s,Test}(R_{k+1})$. Then

$$ev(tr_{s,q_{j-1}}) = recv_{l_{k-1}}(a, b, Msg(k-1))^{\#Test},$$
$$ev(tr_{s,q_j}) = send_{l_k}(b, c, Msg(k))^{\#Test},$$
$$ev(tr_{s,q_{j+k}}) = recv_{l_{k+p}}(a, b, Msg(k+p))^{\#Test}.$$

We want to prove that there are positions $q_{j'-1}, q_{j'}, q_{j'+k}$
and $tid_1, tid_2 \in TID$, such that $q_{j'-1} < q_{j-1}$, $q_j < q_{j'}$,
$q_{j'+k} < q_{j+k}$, and

$$ev(tr_{s,q_{j'-1}}) = send_{l_{k-1}}(a, b, Msg(k-1))^{\#tid_1}, \quad (1)$$
$$ev(tr_{s,q_{j'}}) = recv_{l_k}(b, c, Msg(k))^{\#tid_2}, \quad (2)$$
$$ev(tr_{s,q_{j'+k}}) = send_{l_{k+p}}(a, b, Msg(k+p))^{\#tid_1}. \quad (3)$$

(3a) First we look at label $l_{k+p}$. For adversary $A_k$, we have
proved $AK_s \nvdash \sigma_{s,Test}(n_k)$. We use Lemma 3 to establish a
position $q_{j'+k}$ and $tid_1$ such that $q_{j'+k} < q_{j+k}$ and
$ev(tr_{s,q_{j'+k}}) = send_{l_{k+p}}(a, b, Msg(k+p))^{\#tid_1}$.

(3b) Then we look at label $l_{k-1}$. For adversary $A_k$, since
$AK \nvdash sk(R_i)$ for $i \neq k$, and $pk(R_k)$ cannot be replaced
as $AR(x)$ has determined the agent, no derivation of
$\sigma_{s,tid_1}(send_{l_{k-1}}(a, b, Msg_A(k-1)))$ from $AK_s$ can end in
a composition step. Then there exists $q_{j'-1} < q_{j-1}$ such that
$ev(tr_{s,q_{j'-1}}) = send_{l_{k-1}}(a, b, Msg(k-1))^{\#tid_1}$.

(3c) At last we look at label $l_k$. We have proved that $R_k$
has agreed on $n_k$ by receiving message $Msg(k+p)$. Then we
deduce that $R_{k+1}$ has $Msg(k)$, which has $n_k$ in accessible
positions. Since $AK \nvdash sk(R_i)$ for $i \neq k$, there exists $q_{j'}$
with $q_j < q_{j'}$ such that $ev(tr_{s,q_{j'}}) = recv_{l_k}(b, c, Msg(k))^{\#tid_2}$.

(4) At last, we look at the role $R_0$ with $A = A_0$.

Let $s \in RS(\Pi', type_{\Pi'}, R_0, A)$. Since we already
have $AK_s \nvdash \sigma_{s,Test}(n_0)$, by Lemma 3 we
have that there exists a send-event corresponding to
$recv_{l_{p-1}}(R_{p-1}, R_0, Msg(p-1))$. Since it is the only recv-event
for $R_0$, we are done with the proof.

7.2. Algorithms 

In this subsection, we present algorithms for the transformation
based on the transformation scheme provided in Section 4.

7.2.1. Protocol Syntax. For practical reasons, we make
restrictions on the protocol syntax. We require that the content
of a message has some fixed structure. The terms in a protocol
are organized such that role names appear first, then fresh
names, then hash functions, etc. Each fresh name appears
accessibly only once in a message. The role in pk(r) should be
the responder, and the role in sk(r) should be the initiator.
Terms in the original message should not be encrypted by fresh
names, but they can be so encrypted after the transformation.
The protocols are defined as follows.


protocol := mess*, claim*
mess     := Role, Role, tm, tmp, tms, tmps, tmsp
tm       := ε | tmr, tmf, tmh, tmn
tmp      := ε | {tm}_{pk(tmr)}
tms      := ε | {tm}_{sk(tmr)}
tmh      := ε | h(tmf)
tmr      := Role*
tmf      := Fresh*
tmn      := ε | {tmf}_{Fresh}
tmps     := ε | {tm, tmp}_{sk(tmr)}
tmsp     := ε | {tm, tms}_{pk(tmr)}
claim    := (Role, secret, Fresh)*
          | (Role, commit, Role, Fresh)*
          | (Role, nisynch)*


7.2.2. Functions. For events and messages, a set of operations
is defined: cn collects fresh names in messages, chn collects
fresh names appearing in hash functions, cs collects fresh
names in secrecy-claims, and cc collects fresh names in
commit-claims.

$$cn(mess) = \{f \in Fresh \mid \exists s \in tmf.\ (s \sqsubseteq_{acc} mess \wedge f \sqsubseteq_{acc} s)\}$$
$$chn(mess) = \{f \in Fresh \mid \exists s \in tmf.\ (h(s) \sqsubseteq_{acc} mess \wedge f \sqsubseteq_{acc} s)\}$$
$$cs(claim, i) = \{f \in Fresh \mid cl = (i, secret, f) \wedge cl \in claim\}$$
$$cc(claim, i, r) = \{f \in Fresh \mid cl = (i, commit, r, f) \wedge cl \in claim\}$$

For $f \in Fresh$, sk and pk denote the initiator's secret key
and the responder's public key, ps represents that the fresh
name was encrypted by the public key first and then by the
secret key, and similarly for sp. We define the function fen as
the encryption type of some fresh name $f$ in a message.

$$fen(f, mess) = \begin{cases}
sk, & \exists s \in tms.\ (f \sqsubseteq_{acc} s \wedge s \sqsubseteq_{acc} mess), \\
pk, & \exists s \in tmp.\ (f \sqsubseteq_{acc} s \wedge s \sqsubseteq_{acc} mess), \\
ps, & \exists s \in tmps.\ (f \sqsubseteq_{acc} s \wedge s \sqsubseteq_{acc} mess), \\
sp, & \exists s \in tmsp.\ (f \sqsubseteq_{acc} s \wedge s \sqsubseteq_{acc} mess), \\
NULL, & \text{otherwise.}
\end{cases}$$

Then we define enc to encrypt $f$ with $s$ in messages. If $f$
has already been encrypted by $s$, then nothing is done.

$$enc(f, s, mess) = \begin{cases}
mess, & fen(f, mess) = s, \\
mess[f / \{f\}_s], & \text{otherwise.}
\end{cases}$$

We define eha to encrypt a fresh set $F$ with a hash function.
Let $F \subseteq Fresh$.

$$eha(F, mess) = \begin{cases}
mess, & F \setminus \{f \in F \mid f \in chn(mess)\} = \emptyset, \\
mess \cdot h(F), & \text{otherwise.}
\end{cases}$$

7.2.3. Algorithms. According to the transformation techniques
presented in Section 4, we have designed algorithms for
enhancing the security level of protocols. The pseudo-code of
the algorithms follows. In the algorithms, i denotes the
initiator and r the responder.

Algorithm 1. This algorithm is based on Proposition 1 for
ensuring secrecy under AKC. The algorithm works as follows:
we set secret_set_ini and secret_set_res to store the fresh
names claimed to be secret by the initiator and the responder.
We go through each message and encrypt each fresh name in
secret_set_ini or secret_set_res with a secret short-term key
generated by the opposite party.


Algorithm 1 transform-two-party-secrecy(protocol)

    secret_set_ini = cs(claim, i)
    secret_set_res = cs(claim, r)
    if secret_set_ini ≠ ∅ or secret_set_res ≠ ∅ then
        for each m ∈ mess do
            ft = cn(m)
            if m is the first message then
                ma = i, r, Request
                mb = r, i, {ni}_{pk(i)}
                Insert two messages ma, mb before m
                for each n ∈ secret_set do
                    enc(n, ni, m)
                end for
            else
                if m is transmitted from i to r then
                    k is a secret short-term key generated by r
                    secret_set = secret_set_ini
                else
                    k is a secret short-term key generated by i
                    secret_set = secret_set_res
                end if
                for each n ∈ secret_set do
                    enc(n, k, m)
                end for
            end if
        end for
    end if
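The helper functions of Section 7.2.2 (cn, cs, fen, enc) and Algorithm 1, as an added example that is not part of the paper; it uses a toy term representation (str atoms, ('pk', R)/('sk', R) keys, ('tup', ...) tuples, ('enc', body, key), ('h', ...) hashes) and message dicts {'from', 'to', 'term'}. Two points the pseudo-code leaves open are resolved by assumption: in the first-message branch secret_set is chosen by the message direction, as in the else-branch, and the short-term keys "generated by" i and r are the fresh symbols ki and kr (ni is the key r sends in mb). The sample protocol, its claims and the fresh-name set are constructed for the example.

```python
# Added example (not from the paper): the Section 7.2.2 helpers and Algorithm 1 over a
# toy term algebra. Terms: str atoms (role names, fresh names, constants); ('pk', R) and
# ('sk', R) long-term keys; ('tup', ...) tuples; ('enc', body, key); ('h', ...) hashes.
# A message is a dict {'from': role, 'to': role, 'term': term}; a claim is a tuple
# (role, 'secret', fresh) or (role, 'commit', role, fresh).

def subterms_acc(t, ctx=()):
    """Yield (subterm, encryption context) for every accessible position of t. The
    context lists the key kinds ('pk', 'sk' or 'sym') wrapped around the position,
    outermost first. Hash arguments are not accessible positions."""
    yield t, ctx
    if isinstance(t, tuple):
        if t[0] == "tup":
            for c in t[1:]:
                yield from subterms_acc(c, ctx)
        elif t[0] == "enc":
            key = t[2]
            kind = key[0] if isinstance(key, tuple) else "sym"
            yield from subterms_acc(t[1], ctx + (kind,))

def cn(m, fresh):
    """cn(mess): fresh names occurring in accessible positions of message m."""
    return {t for t, _ in subterms_acc(m["term"]) if t in fresh}

def cs(claims, role):
    """cs(claim, role): fresh names that `role` claims secret."""
    return {cl[2] for cl in claims if cl[0] == role and cl[1] == "secret"}

def fen(f, m):
    """fen(f, mess): 'sk', 'pk', 'ps' ({{f}_pk}_sk), 'sp' ({{f}_sk}_pk) or None.
    Symmetric layers are skipped, matching the paper's four asymmetric cases."""
    for t, ctx in subterms_acc(m["term"]):
        if t == f:
            asym = tuple(k for k in ctx if k != "sym")
            return {("sk",): "sk", ("pk",): "pk", ("sk", "pk"): "ps", ("pk", "sk"): "sp"}.get(asym)
    return None

def enc(f, s, m):
    """enc(f, s, mess): replace every accessible f by {f}_s unless it already is under s."""
    def already(t):
        return any(x == ("enc", f, s) for x, _ in subterms_acc(t))
    def subst(t):
        if t == f:
            return ("enc", f, s)
        if isinstance(t, tuple) and t[0] == "tup":
            return ("tup",) + tuple(subst(c) for c in t[1:])
        if isinstance(t, tuple) and t[0] == "enc":
            return ("enc", subst(t[1]), t[2])
        return t
    term = m["term"]
    return dict(m, term=term if already(term) else subst(term))

def transform_two_party_secrecy(protocol, i, r, fresh):
    """Algorithm 1. Assumptions of this example: the first-message branch picks
    secret_set by direction, and the short-term keys are the symbols 'ni' (sent by r
    in mb), 'kr' (generated by r) and 'ki' (generated by i)."""
    claims, mess = protocol["claims"], protocol["mess"]
    secret_ini, secret_res = cs(claims, i), cs(claims, r)
    if not secret_ini and not secret_res:
        return protocol
    out = []
    for idx, m in enumerate(mess):
        if idx == 0:
            out.append({"from": i, "to": r, "term": "Request"})
            out.append({"from": r, "to": i, "term": ("enc", "ni", ("pk", i))})
            k, secret_set = "ni", (secret_ini if m["from"] == i else secret_res)
        elif m["from"] == i:
            k, secret_set = "kr", secret_ini   # key generated by r protects i's secrets
        else:
            k, secret_set = "ki", secret_res   # key generated by i protects r's secrets
        for n in secret_set & cn(m, fresh):    # ft = cn(m); enc on an absent name is a no-op
            m = enc(n, k, m)
        out.append(m)
    return {"claims": claims, "mess": out}

# Constructed sample: a two-message NSL-style exchange with one secrecy claim per role.
SAMPLE = {
    "mess": [
        {"from": "i", "to": "r", "term": ("enc", ("tup", "na", "i"), ("pk", "r"))},
        {"from": "r", "to": "i", "term": ("enc", ("tup", "na", "nb", "r"), ("pk", "i"))},
    ],
    "claims": [("i", "secret", "na"), ("r", "secret", "nb")],
}
FRESH = {"na", "nb"}
```

On SAMPLE the algorithm inserts the Request and {ni}_{pk(i)} messages, wraps na as {na}_{ni} inside the first message (the initiator's secret) and nb as {nb}_{ki} inside the second (the responder's secret), leaving the public-key layers and fen classifications unchanged; running enc a second time with the same key is a no-op, as the definition of enc requires.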


Algorithm 2. This algorithm is based on Proposition 2 for
ensuring the commit-property. The algorithm also goes through
each message, and encrypts fresh names with a secret key or a
hash function. We set com_set_ini and com_set_res to store the
fresh names claimed to be committed by the initiator and the
responder, and assume secret values ni and nr. If the fresh name
is encrypted by a secret key, then the algorithm follows
Proposition 11. Otherwise, it follows Proposition 2.


Algorithm 2 transform-two-party-commit(protocol)

    com_set_ini = cc(claim, i, r)
    com_set_res = cc(claim, r, i)
    ni is a secret short-term key for i
    nr is a secret short-term key for r
    if com_set_ini ≠ ∅ or com_set_res ≠ ∅ then
        for each m ∈ mess do
            ft = cn(m)
            if m is transmitted from i to r then
                com_set = com_set_res
                ns = ni
            else
                com_set = com_set_ini
                ns = nr
            end if
            for each n ∈ ft do
                if n ∈ com_set then
                    if fen(n, m) = NULL then
                        enc(n, sk, m)
                    else
                        if fen(n, m) = pk then
                            eha({ns, n}, m)
                        end if
                    end if
                end if
            end for
        end for
    end if





